GTMaritime director Mike McNally exposes how cyber criminals will exploit the weak links in shipping companies and port operators – the human element and their emails
Fraudulent emails designed to make recipients hand over sensitive information, extort money or trigger malware installation on shore-based or vessel IT networks remain one of the biggest day-to-day cyber threats facing the marine industry.
Technical solutions offer a robust first-line defence by preventing deceptive messages from ever reaching staff inboxes, but cyber criminals are continually experimenting with new techniques to evade detection.
Recent studies suggest criminals are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from the chief executive or other high-ranking colleagues in the hope staff lower down the chain will drop their guard and follow the request unquestioningly.
Worryingly, maritime-specific examples are beginning to surface. A recent incident in the Gulf of Guinea saw cyber criminals send spoof emails requesting a cargo manifest, with a view to possibly attacking the vessel and targeting the containers with the highest-value contents. The more convincing an email appears, the greater the chance employees will fall for the scam.
To address this residual risk, software-based protection should be treated as one constituent of a wider strategy that also encompasses the human element as well as organisational workflows and procedures.
It is imperative to familiarise staff with the various strategies fraudsters employ to deceive them, and sharing practical advice for distinguishing dishonest messages from legitimate ones can make an enormous difference.
Real-life examples will help impress upon staff the importance of taking the threat seriously, particularly if they are drawn from a maritime setting.
To maximise its effectiveness, formal training should be reinforced by periodic refresher courses. Putting up posters in high-footfall areas or notices near PC terminals acts as a constant reminder to crews not to let their guard down and to stay vigilant.
Checklists are a simple but good way of instilling new behaviours and preventing carelessness, as long as they are not perceived as perfunctory, annoying or unnecessary. Giving crew a say in what items go on a list, or letting them adjust it according to their needs or work style, can engender a greater sense of ownership.
With cyber security now coming under the remit of the ISM Code, many shipping companies are already in the middle of assessing their exposure to risk and developing IT policies for inclusion in their Safety Management Systems aimed at mitigating it.
Now is a perfect opportunity to reflect on how phishers might target and manipulate staff, and to devise formal procedures for handling suspect phishing messages and the next steps if staff fall victim to an attack.
A copy of the policy – written in plain language – should be disseminated to crew, explaining what to do and who to contact if they receive an unusual or suspect request. Make sure staff have the confidence to question emails, even if they appear to come from someone important within the organisation.
Punishing staff if they are caught out is generally considered counterproductive. Phishing emails are increasingly hard to spot, and penalties will discourage staff from reporting an incident, delaying interventions that could reduce the after-effects. It may also make them so fearful that they spend too much time and energy scrutinising every email they receive.
On the technical side, admins can configure user accounts to limit the impact of messages containing malicious code. The rule of thumb here is to provide staff with the lowest level of user rights possible while still allowing them to perform their roles. At the very minimum, they should not be accessing the web or checking emails from an account with administrator privileges.
An effective way of assessing how big a threat phishing poses to an organisation is to create and send a phony scam email and see how staff respond. Do they click a link right away? Do they recognise that it’s a scam and delete it? Do they contact a senior colleague to warn them? The results will help guide what security measures are needed and act as a reference point when it comes to staff awareness training.
GTMaritime is carrying out such exercises with several customers to gauge how staff across their shoreside and fleet operations react to phishing attacks. Maintaining a high level of vigilance is vital because no matter how many phishing attacks are thwarted by filters and other technological safeguards, the possibility of one slipping through the net always remains. In short, there is no room for complacency.
Cyber security will be discussed during Riviera Maritime Media’s Optimised Ship Forum in London on 10 December